The PhishLabs Blog

The Anatomy of a Successful Ransomware Attack

Your head hangs, and your heart races. The instant you clicked, you knew something was wrong.

That email seemed so official, and all you did was follow a link… How did THIS happen?

But it’s too late for that now. What’s done is done.

You’ve been infected with ransomware, and now you’ll have to admit it to your boss.

Some difficult questions will be coming your way soon, but before we get to that…

What is Ransomware?!

Put simply, ransomware is malicious software (malware) that restricts access to computer systems or files, and demands that the victim pay a ransom in exchange for restored access.

Recent examples of widespread ransomware include CryptoLocker and CryptoWall, but it’s important to realize that this is not a new concept.

The very first ransomware, known as the “AIDS” Trojan, was created in 1989 and functioned very similarly to modern versions. Even in the modern Internet age, ransomware has been around for over a decade, and by mid-2008 some versions used such advanced encryption methods that recovering the encrypted files by computational means had become almost impossible.

In late 2013, with Bitcoin as its payment currency, CryptoLocker burst onto the scene and quickly inspired a variety of copycats with its high-profile success.

Up until this point, payment had been a significant headache for the groups responsible for creating ransomware, due to the inherently traceable nature of traditional currencies. But by demanding payment in Bitcoin, and taking a few precautionary measures, the group behind CryptoLocker made millions of dollars in ransoms before their distribution botnet was taken down by a joint force of law enforcement agencies (including the FBI and Interpol), security software vendors, and universities.

Despite this victory, though, ransomware is only growing in popularity. More and more organizations are falling prey to ransomware, and most security vendors agree that the trend will continue to grow during 2016.

Should I Be Worrying Right Now?

We field a lot of questions about ransomware, but there’s one in particular that comes up time and time again.

“Are we at risk from ransomware?”

It’s not a difficult question to answer. Yes, you’re at risk… Everybody is at risk.

You see, there are plenty of ways for threat actors to spread ransomware. They create fake online advertisements and pop-ups, exploit known vulnerabilities to gain access to corporate networks, and even drop USB sticks loaded with ransomware in car parks and restrooms.

But above all other distribution methods, phishing is the threat actor’s weapon of choice. Phishing emails loaded with ransomware are being sent to consumers and corporations alike, and worse, the quality of the writing is getting better all the time.

A few years ago, most phishing emails were pretty easy to spot, with their dodgy spelling and conspicuous use of ‘Sir’ or ‘Madam’. These days, though, it’s not unheard of for threat actors to use espionage tactics against corporations and their partners purely to inform bespoke spear phishing campaigns.

They’re pulling out all the stops to infect your systems with ransomware, so yes, you need to be concerned.

But there’s no point in just being concerned. You need to do something. That’s why we’ve decided to run through the anatomy of a typical ransomware attack, so you’ll know what to look for, and what to avoid.

Who Shall We Extort Next?

Although mass spam campaigns are still a concern, the majority of corporate cases start with targeted attacks. Threat actors are surprisingly organized, and often focus their attention on a specific organization or group.

If this happens to you, expect your attackers to research your organization in detail, looking for information about your systems, partners, and services to provide ammunition for their campaign.

And it doesn’t end with a few phishing emails.

Threat actors target privileged users and use social engineering tactics to gain access to as many of your assets as possible before they initiate a ransomware attack. In this way, they maximize your losses in the hopes that you’ll quickly cave and agree to pay the ransom.

Click Here to Lose Access

Once the target (you) has been chosen, and enough access has been gained, the ransomware will be deployed. The trigger might have been a malicious link in an email, a successful social engineering campaign, or a ransomware-ridden USB stick, but ultimately the result is the same.

Your files are locked up tight, and it seems like you either pay up, or shut up.

In reality it’s a bit more complex than that, and we’ll go through your options in a later article, but for now let’s keep it simple and try to understand exactly how this locking process happens.

You see, most people assume the ransomware they’re infected with works all on its own. Some very simple ransomware packages do work in isolation, but they’re pretty ineffective and have largely fallen out of use. If a threat actor attempted to infect your network with a self-contained ransomware package, almost any security system would quickly identify and prevent it.

Instead, when activated, most ransomware packages attempt to contact so-called command and control (C&C) servers for further instruction. These instructions range from simply providing encryption keys to initiating further exploration and vulnerability scanning within your network.

And where early ransomware packages used static C&C servers, the latest versions include dynamic algorithms that attempt to connect to hundreds or even thousands of servers. This dramatically improves their chances of success, and makes defending yourself much more challenging.
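The “dynamic algorithms” described above are commonly known as domain generation algorithms (DGAs): the malware computes a long list of candidate C&C names and tries them in turn, and most of them do not resolve. That leaves a recognisable trace in your DNS resolver logs, a burst of NXDOMAIN answers for random-looking names from a single client. The following is an added detection example, not code from the original post or from PhishLabs; the log format, the sample lines and the thresholds are constructed for illustration and would need adjusting to your own resolver’s output.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not real data); one record per line:
# "<time> <client-ip> <queried-name> <rcode>"
# Client 10.0.0.9 shows the burst of failed lookups for random-looking
# names that a DGA produces; 10.0.0.5 only mistyped one hostname.
SAMPLE_LOG = """\
09:00:01 10.0.0.5 mail.example-corp.test NOERROR
09:00:02 10.0.0.5 cdn.example-corp.test NOERROR
09:00:03 10.0.0.9 xk3q9vz7p2mf.test NXDOMAIN
09:00:03 10.0.0.9 q8z1mvt4wsk0.invalid NXDOMAIN
09:00:04 10.0.0.9 p0d7kwh2xl9a.example NXDOMAIN
09:00:04 10.0.0.9 zw4n8rbj5ymx.test NXDOMAIN
09:00:05 10.0.0.9 d2lt6qvhx8kc.invalid NXDOMAIN
09:00:05 10.0.0.9 update.example-corp.test NOERROR
09:00:06 10.0.0.5 typo.exmaple-corp.test NXDOMAIN
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(name: str) -> str:
    """Return the label directly under the TLD, e.g. 'xk3q9vz7p2mf' for 'xk3q9vz7p2mf.test'."""
    parts = name.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_log(text: str):
    """Parse the constructed log format into (time, client, name, rcode) tuples."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than crash on them
        ts, client, name, rcode = fields
        records.append((ts, client, name.lower(), rcode))
    return records


def find_dga_suspects(records, min_nxdomain: int = 5, min_entropy: float = 3.0):
    """Flag clients with many distinct NXDOMAIN names whose labels look random.

    Thresholds are illustrative assumptions; tune them against a baseline of
    your own traffic, since typos and CDN churn also produce NXDOMAINs.
    """
    per_client = defaultdict(set)
    for _, client, name, rcode in records:
        if rcode == "NXDOMAIN":
            per_client[client].add(name)

    suspects = {}
    for client, names in per_client.items():
        if len(names) < min_nxdomain:
            continue
        mean_ent = sum(shannon_entropy(second_level_label(n)) for n in names) / len(names)
        if mean_ent >= min_entropy:
            suspects[client] = {"nxdomain_count": len(names), "mean_entropy": round(mean_ent, 2)}
    return suspects


if __name__ == "__main__":
    for client, info in find_dga_suspects(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: {info['nxdomain_count']} failed lookups, "
              f"mean label entropy {info['mean_entropy']} -> investigate")
```

Two signals are combined on purpose: a single high-entropy name proves nothing (plenty of legitimate CDN hostnames look random), and a burst of NXDOMAINs alone is often just a misconfigured client. A host that produces both, especially shortly before file shares start changing, is worth isolating while you look at it.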

OK Guys… What Have We Lost?

The very earliest versions of CryptoLocker simply encrypted the files on an infected user’s local computer. Annoying, yes, but usually not the end of the world unless the user happens to be your CEO.

But we’re well beyond that point now.

As we’ve already alluded to, the most sophisticated ransomware packages can identify other areas of your network to spread to, scan for vulnerabilities, and even prioritize the most recently accessed files and folders for encryption in case the process is interrupted.

They also, sadly, specifically search for and encrypt your backups.

When ransomware made a comeback in 2013, one of the earliest popularized defenses was to ensure users’ data was backed up regularly. That way, in the event of a ransomware attack, losses would be minimal.

Sadly, as always, threat actors catch on quickly. You can almost guarantee that any backups saved on infected machines or servers will be among the first files to be targeted.
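The practical consequence is that a backup stored on a host the ransomware can reach is not a backup you can trust until you have checked it. A manifest of file hashes written at backup time and kept somewhere the infected host cannot write to (offline media, a separate account, an immutable bucket) lets you tell an intact copy from one that was overwritten or replaced. The following is an added example of such a check, not code from the original post or from PhishLabs; the directory layout, file names and the entropy threshold are constructed assumptions, and the “tampering” in the demo simply overwrites the sample copies with random bytes to exercise the verifier.

```python
import hashlib
import json
import math
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def byte_entropy(data: bytes) -> float:
    """Bits per byte (0..8); encrypted or compressed data sits close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def write_manifest(backup_dir: Path, manifest_path: Path) -> dict:
    """Record a hash for every backup file; store the manifest off the backed-up host."""
    manifest = {p.name: sha256_file(p) for p in sorted(backup_dir.iterdir()) if p.is_file()}
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backups(backup_dir: Path, manifest_path: Path, entropy_threshold: float = 7.5) -> dict:
    """Compare the directory with the manifest and flag signs of tampering.

    'modified'   : hash no longer matches (file rewritten in place)
    'missing'    : listed in the manifest but gone
    'unexpected' : not in the manifest; reported with its entropy and whether
                   it looks encrypted (threshold is an illustrative assumption)
    """
    manifest = json.loads(manifest_path.read_text())
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    present = {p.name: p for p in backup_dir.iterdir() if p.is_file()}

    for name, digest in manifest.items():
        if name not in present:
            report["missing"].append(name)
        elif sha256_file(present[name]) != digest:
            report["modified"].append(name)
        else:
            report["ok"].append(name)

    for name, p in present.items():
        if name not in manifest:
            ent = byte_entropy(p.read_bytes()[:65536])  # first 64 KiB is enough to classify
            report["unexpected"].append((name, round(ent, 2), ent >= entropy_threshold))
    return report


def demo() -> dict:
    """Build a constructed backup set, manifest it, tamper with it, and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backups"
        backup.mkdir()
        (backup / "payroll.csv.bak").write_text("id,name,amount\n" * 200)
        (backup / "contracts.docx.bak").write_bytes(b"PK\x03\x04" + b"lorem ipsum " * 500)
        manifest_path = Path(tmp) / "manifest.json"  # in real use this lives off-host
        write_manifest(backup, manifest_path)

        # Simulated tampering (random bytes only, no real encryption): one copy is
        # rewritten in place, one is replaced under a new name, and a note appears.
        (backup / "payroll.csv.bak").write_bytes(os.urandom(4096))
        (backup / "contracts.docx.bak").unlink()
        (backup / "contracts.docx.bak.locked").write_bytes(os.urandom(4096))
        (backup / "HOW_TO_RECOVER.txt").write_text("your files are encrypted")
        return verify_backups(backup, manifest_path)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the verification from a clean machine against the backup media, not from the host that was backed up: if the manifest and the check both live on the infected system, the attacker can rewrite them along with everything else, which is exactly the point the post makes about on-host backups.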

Pay Up or Shut Up

Chances are everything up to this point has gone completely unnoticed. The first you’ll know about the attack is when a pop-up fills your screen demanding a ransom in exchange for your files.

You’re kicking yourself for opening that email. For playing along. For not taking ransomware seriously until now.

But it’s too late for that.

Your attackers will let you know what they want, and by when. They’ll tell you exactly what you’ll need to do if you want to regain access to your files. Sometimes they’ll even allow you to decrypt a file or two, just to prove they’re for real.

And once you’ve paid, and your attacker has verified the payment, you’ll receive the private key and automatic decryption will start. Let’s just hope nothing goes wrong with the decryption process… because threat actors aren’t usually in the business of providing additional support.